Now we're allowing a lower bound for auth_len, ensure we

also check for an upper one (integer wrap).
Jeremy.

diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index ac491b9e53ce6ffdd9ddc2614bfb79c7819aba7a..6becfa42e86c590fe07132b55342619288f60abe 100644 (file)
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -2113,7 +2113,11 @@ bool api_pipe_schannel_process(pipes_struct *p, prs_struct *rpc_in, uint32 *p_ss
 
        auth_len = p->hdr.auth_len;
 
-       if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN) {
+       if (auth_len < RPC_AUTH_SCHANNEL_SIGN_OR_SEAL_CHK_LEN ||
+                       auth_len < RPC_HEADER_LEN +
+                                       RPC_HDR_REQ_LEN +
+                                       RPC_HDR_AUTH_LEN +
+                                       auth_len) {
                DEBUG(0,("Incorrect auth_len %u.\n", (unsigned int)auth_len ));
                return False;
        }